How to create a CSR with OpenSSL

OpenSSL is available on many platforms
(for Windows binaries, see e.g. http://www.openssl.org/related/binaries.html)
and can be used to generate a key pair and a CSR. The most convenient way,
in our opinion, is to write a short OpenSSL configuration file which you
feed to the openssl req command afterwards (but
feel free to use an alternative procedure if you prefer).

Create a text file named myserver.cnf
(where myserver is supposed to denote the name/FQDN of your server)
with the following content:

The CN attribute is the only attribute which must always
be specified in a CSR for a SWITCHpki server certificate. All other attributes
are optional (as far as the CSR is concerned), but some of them will automatically
be added to the issued certificate, if needed: C (countryName),
ST (stateOrProvinceName), L (localityName) and
O (organizationName). If desired, an OU
(organizationalUnit) attribute can be included in the request.

The CN attribute must be set to the fully qualified domain name
of your server, e.g. www.example.com, www.subdomain.example.com
or similar. The ALTNAMES line can be used to specify subjectAltName entries
if you prefer specifying them this way (otherwise, simply use the text field
on the enrollment form).

Then, after having saved the myserver.cnf file, create the key pair and the CSR
with the following command(s):

This will create a 2048-bit RSA key pair, store the private key in the file
myserver.key and write the CSR to the file myserver.csr.
The private key is stored with no passphrase. Changing the permissions to 600
(i.e. -rw-------) restricts access to the (confidential) private key to the owner
of the file (on a non-UNIX system, use a directory with restrictive file ACLs or equivalent).
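
The whole procedure as one script, as an added example that is not the original page's listing. The section names, the sha256 digest, the C and O values, the FQDN variable and the function names make_csr and check_csr are assumptions; the umask step is an addition that keeps the key owner-only from the moment it is created.

```shell
#!/bin/sh
# Added example, not the original page's listing. The section layout and all
# values (names, organisation, country) are assumptions or placeholders.
set -eu

# make_csr NAME FQDN [ALTNAMES]
# Writes NAME.cnf, then creates NAME.key (2048-bit RSA, no passphrase) and NAME.csr.
make_csr() {
    name=$1 fqdn=$2 altnames=${3:-DNS:$2}

    cat > "$name.cnf" <<EOF
FQDN = $fqdn
ALTNAMES = $altnames

[ req ]
default_bits = 2048
default_md = sha256
prompt = no
encrypt_key = no
distinguished_name = dn
req_extensions = req_ext

[ dn ]
# Only CN is mandatory; the C and O values here are placeholders.
C = CH
O = Example University
CN = \$FQDN

[ req_ext ]
subjectAltName = \$ALTNAMES
EOF

    # umask 077 in a subshell: the key file is created owner-only from the
    # start, so it is never readable by other users, even briefly.
    ( umask 077
      openssl req -new -config "$name.cnf" -keyout "$name.key" -out "$name.csr" )
    chmod 600 "$name.key"
}

# check_csr NAME: verify the CSR self-signature, print subject and SAN entries.
check_csr() {
    openssl req -in "$1.csr" -noout -verify -subject 2>&1
    openssl req -in "$1.csr" -noout -text | grep 'DNS:'
}

if [ "$#" -ge 2 ]; then
    make_csr "$@"
    check_csr "$1"
fi
```

Saved as a script, it takes the base name and the FQDN as arguments, plus an optional ALTNAMES value such as "DNS:www.example.com, DNS:www2.example.com".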